InformIT: comparing static analysis tools

[Gary McGraw <gem () cigital com>]

hi sc-l,

John Steven and I recently collaborated on an article for informIT.  The article is called "Software [In]security: 
Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)" and is available here:
http://www.informit.com/articles/article.aspx?p=1680863

Now that static analysis tools like Fortify and Ounce are hitting the mainstream there are many potential customers who 
want to compare them and pick the best one.  We explain why that's more difficult than it sounds at first and what to 
watch out for as you begin to compare tools.  We did this in order to get out in front of "test suites" that purport to 
work for tool comparison.  If you wonder why such suites may not work as advertised, read the article.

Your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________